AAA authorization show run in priv 7

Hi, can anyone help...
I have set up AAA on my network.
aaa authentication login default group tacacs+ group security local
aaa authorization exec default group tacacs+ group security local
aaa accounting exec default start-stop group tacacs+ group security
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key 7 xyz
I want to set privilege on a group basis.
I have created a group called test on the ACS server, set command authorization on a per-group basis,
and added the show command with permit running-config as the argument.
My objective is to give the users of the test group priv level 7 while still letting them use show running-config.
Any help?
thanks in advance

Hi,
Thanks for your reply. It's nearly exactly what I wanted. However, show running-config only shows this:
7206a#sh run
Building configuration...
Current configuration : 53 bytes
boot-start-marker
boot-end-marker
end
However, #show config
shows the proper running-config.
Thanks

Similar Messages

  • Allow some show commands in AAA Authorization Set

    I'm working on creating AAA authorization sets for our environment and ran into a question!
    I'd like to be able to enable ALL show commands except 'show run'.  I would also like to enable 'show run interface'.  I've figured out how to enable all show commands and disable show run.  The problem I'm finding is that since 'show run interface' is a subset of 'show run' it seems to get disabled as well, even if I try to explicitly enable it.
    Is there a way to disable 'show run' but enable all other show commands and 'show run interface' with an AAA authorization set?
    ACS Version 4.1.
    Command set is configured:

    Changing it to 'deny running-config' does the exact same thing.  It looks like it's seeing the 'show running-config' then stopping on that before anything else.  I've tried adding 'permit run interface' in ACS and same thing.  Other AAA Authorization set commands work just fine.
    On the switch (it's a 2960G-8TC-K) running 12.2(58)SE2.
    aaa group server tacacs+ SHS
    server 10.10.11.200
    aaa authentication login verifyme group TACACS+ local
    aaa authorization config-commands
    aaa authorization exec verifyme group TACACS+ local
    aaa authorization commands 0 default group TACACS+
    aaa authorization commands 1 default group TACACS+
    aaa authorization commands 15 default group TACACS+
    aaa accounting send stop-record authentication failure
    aaa accounting exec verifyme start-stop group TACACS+
    aaa accounting commands 15 default start-stop group TACACS+
    aaa accounting network verifyme start-stop group TACACS+
    aaa accounting system default start-stop group TACACS+
    aaa session-id common
    Debugs!
    Jun 21 11:07:39: AAA: parse name=tty0 idb type=-1 tty=-1
    Jun 21 11:07:39: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
    Jun 21 11:07:39: AAA/MEMORY: create_user (0x3A790DC) user='test' ruser='SGAVEJ01' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): Port='tty0' list='' service=CMD
    Jun 21 11:07:39: AAA/AUTHOR/CMD: tty0 (4105592267) user='test'
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV service=shell
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd=show
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=running-config
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=interface
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=GigabitEthernet
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=0/1
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD(4105592267): found list "default"
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): Method=TACACS+ (tacacs+)
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): user=test
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV service=shell
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd=show
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=running-config
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=interface
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=GigabitEthernet
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=0/1
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=
    Jun 21 11:07:39: TAC+: Using default tacacs server-group "TACACS+" list.
    Jun 21 11:07:39: TAC+: Opening TCP/IP to 10.10.11.200/49 timeout=5
    Jun 21 11:07:39: TAC+: Opened TCP/IP handle 0x3A41210 to 10.10.11.200/49 using source 10.40.0.14
    Jun 21 11:07:39: TAC+: 10.10.11.200 (4105592267) AUTHOR/START queued
    Jun 21 11:07:39: TAC+: (4105592267) AUTHOR/START processed
    Jun 21 11:07:39: TAC+: (-189375029): received author response status = FAIL
    Jun 21 11:07:39: TAC+: Closing TCP/IP 0x3A41210 connection to 10.10.11.200/49
    Jun 21 11:07:39: AAA/AUTHOR (4105592267): Post authorization status = FAIL
    Jun 21 11:07:39: AAA/MEMORY: free_user (0x3A790DC) user='test' ruser='SGAVEJ01' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 vrf= (id=0)

  • Acs4.1 & aaa authorization & permit show

    Hello,
    I want to deny all commands except "show run" for a group and for all network devices.
    So I created a group on ACS 4.1 and attached it to a "Shell Command Authorization Set" ("permit show running-config" - "deny unmatched commands"),
    then I used the commands which you can see below:
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    NOW: the rules are running for my new group, but other groups which have full access for all devices are failing (% Authorization failed).
    what can be the problem?
    Thanks
    Ozlem

    Create another shell command authorization set for the full access group and configure it for "unmatched commands - permit",
    and do not enter any command for it.
    That will work for you.
    ~Rohit

  • Command Authorization Set Show Run Permissions Only

    Hi All,
    I am trying to set up aaa authorization using Cisco ACS 4.2 so that my Helpdesk Users have the ability to do show commands only.
    I have followed the instructions from http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    and this doesn't work as intended.
    I have followed the document to a tee, but when I log in with my test2 user account it gives me user mode access only (> prompt) instead of Priv Exec (# prompt) with only show command privileges!  I guess this is because I am specifying level 1 access, but that's what the doc says to do.
    My config is as follows:
    Cisco 2811 Router
    aaa new-model
    aaa authentication login defaut group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa session-id common
    ACS 4.2 Config
    Shell Command Authorization Set: Name = ReadOnlyAccess - Unmatched commands set to Deny, with the show command configured in the box below and I have checked the Permit Unmatched Args check box next to it
    User: Test2 in UserGroup: ReadOnlyGroup with Enable options - Max Priv for any AAA Client: Level 1, TACACS+ - Shell (exec) box checked and Priv level checked and set to 1
    Shell Command Authorisation Set - Assign a Shell Command Authorization Set for any network Device radio button selected specifying ReadOnlyAccess as the Command authorisation set to apply.
    Thanks in advance
    David

    All,
    I have resolved this issue by giving my Test2 user account Priv 15 access and then specifying the commands that are permitted within the command authorisation set applied to all devices, which is the way I thought it should be done in the first place.

  • Dot1x "authentication event fail action authorize" missing vlan info in show running-config 3750 12.2.55-SE7

    Has anyone seen this on their dot1x configurations, where the vlan info is missing in the show running-config? See port FastEthernet 2/0/3 below. The 3750 PoE switch is running 12.2.55-SE7.
    interface FastEthernet2/0/1
     switchport access vlan 18
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 101
     srr-queue bandwidth share 10 10 60 20
     srr-queue bandwidth shape 10 0 0 0
     priority-queue out
     authentication event fail action authorize vlan 34
     authentication event server dead action authorize
     authentication event server dead action authorize voice
     authentication event no-response action authorize vlan 34
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     mls qos trust dscp
     auto qos voip trust
     dot1x pae authenticator
     dot1x timeout quiet-period 3
     dot1x timeout tx-period 3
     dot1x timeout supp-timeout 3
     storm-control broadcast level 1.00
     spanning-tree portfast
     spanning-tree bpduguard enable
    interface FastEthernet2/0/2
     switchport access vlan 18
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 101
     srr-queue bandwidth share 10 10 60 20
     srr-queue bandwidth shape 10 0 0 0
     priority-queue out
     authentication event fail action authorize vlan 34
     authentication event server dead action authorize
     authentication event server dead action authorize voice
     authentication event no-response action authorize vlan 34
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     mls qos trust dscp
     auto qos voip trust
     dot1x pae authenticator
     dot1x timeout quiet-period 3
     dot1x timeout tx-period 3
     dot1x timeout supp-timeout 3
     storm-control broadcast level 1.00
     spanning-tree portfast
     spanning-tree bpduguard enable
    interface FastEthernet2/0/3
     switchport access vlan 18
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 101
     srr-queue bandwidth share 10 10 60 20
     srr-queue bandwidth shape 10 0 0 0
     priority-queue out
     authentication event fail action authorize
     authentication event server dead action authorize
     authentication event server dead action authorize voice
     authentication event no-response action authorize vlan 34
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     mls qos trust dscp
     auto qos voip trust
     dot1x pae authenticator
     dot1x timeout quiet-period 3
     dot1x timeout tx-period 3
     dot1x timeout supp-timeout 3
     storm-control broadcast level 1.00
     spanning-tree portfast
     spanning-tree bpduguard enable
    interface FastEthernet2/0/4
     switchport access vlan 18
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 101
     srr-queue bandwidth share 10 10 60 20
     srr-queue bandwidth shape 10 0 0 0
     priority-queue out
     authentication event fail action authorize
     authentication event server dead action authorize
     authentication event server dead action authorize voice
     authentication event no-response action authorize vlan 34
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     mls qos trust dscp
     auto qos voip trust
     dot1x pae authenticator
     dot1x timeout quiet-period 3
     dot1x timeout tx-period 3
     dot1x timeout supp-timeout 3
     storm-control broadcast level 1.00
     spanning-tree portfast
     spanning-tree bpduguard enable
    interface FastEthernet2/0/5
     switchport access vlan 18
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 101
     srr-queue bandwidth share 10 10 60 20
     srr-queue bandwidth shape 10 0 0 0
     priority-queue out
     authentication event fail action authorize
     authentication event server dead action authorize
     authentication event server dead action authorize voice
     authentication event no-response action authorize vlan 34
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     mls qos trust dscp
     auto qos voip trust
     dot1x pae authenticator
     dot1x timeout quiet-period 3
     dot1x timeout tx-period 3
     dot1x timeout supp-timeout 3
     storm-control broadcast level 1.00
     spanning-tree portfast
     spanning-tree bpduguard enable
    interface FastEthernet2/0/6
     switchport access vlan 18
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 101
     srr-queue bandwidth share 10 10 60 20
     srr-queue bandwidth shape 10 0 0 0
     priority-queue out
     authentication event fail action authorize vlan 34
     authentication event server dead action authorize
     authentication event server dead action authorize voice
     authentication event no-response action authorize vlan 34
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     mls qos trust dscp
     auto qos voip trust
     dot1x pae authenticator
     dot1x timeout quiet-period 3
     dot1x timeout tx-period 3
     dot1x timeout supp-timeout 3
     storm-control broadcast level 1.00
     spanning-tree portfast
     spanning-tree bpduguard enable

    The vlan info isn't missing, you have the option of either specifying which VLAN you want it dropped in to, or you can just say authorize the vlan that is configured with the 'switchport access vlan' command.

  • AAA Authorization Using Local Database

    Hi Guys,
    I'm planning to use AAA authorization using the local database. I have already read about it, I have configured the aaa new-model command and I have set up users already. But I'm stuck at the part where I give certain users access to certain commands using the local database. Hope you can help on this.
    FYI: I know using ACS/TACACS+/RADIUS is much easier and more powerful, but my company will most likely only use the local database.

    To allow limited read-only access, use this example.
    We need these commands on the switch:
    Switch(config)#do sh run | in priv
    username admin privilege 15 password 0 cisco123!
    username test privilege 0 password 0 cisco
    privilege exec level 0 show ip interface brief
    privilege exec level 0 show ip interface
    privilege exec level 0 show interface
    privilege exec level 0 show switch
    No need for the user to log in to enable mode. All priv 0 commands are now there in user mode. See below:
    User Access Verification
    Username: test
    Password:
    Switch>show ?
    diagnostic Show command for diagnostic
    flash1: display information about flash1: file system
    flash: display information about flash: file system
    interfaces Interface status and configuration
    ip IP information
    switch show information about the stack ring
    Switch>show switch
    Switch/Stack Mac Address : 0015.f9c1.ca80
    H/W Current
    Switch# Role Mac Address Priority Version State
    *1 Master 0015.f9c1.ca80 1 0 Ready
    Switch>show run
    ^
    % Invalid input detected at '^' marker.
    Switch>show aaa server
    ^
    % Invalid input detected at '^' marker.
    Switch>show inter
    Switch>show interfaces
    Vlan1 is up, line protocol is up
    Hardware is EtherSVI, address is 0015.f9c1.cac0 (bia 0015.f9c1.cac0)
    Internet address is 192.168.26.3/24
    MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
    reliability 255/255, txload 1/255, rxload 1/255
    Switch>
    Please check this link,
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
    Regards,
    ~JG
    Do rate helpful posts

  • Aaa authorization (device doesn't always go into enable mode)

    When I log into the 4500 switch with my domain account, I get priv 1 only and have to “enable” with the local enable password to get to priv 15.  How do I set this up to get directly to enable? The ACS 5.1 is setup with a authorization/shell profile for Priv 15, no problems there.
    2821-RTR2#show run | incl aaa
    aaa new-model
    aaa authentication login default group tacacs+ local enable
    aaa authentication login CONSOLE local-case line
    aaa authorization exec default group tacacs+ none
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa session-id common
    4500 that drops into enable mode
    4500-SW1#show run | incl aaa
    aaa new-model
    aaa authentication login default group tacacs+ local enable
    aaa authentication login CONSOLE local-case line
    aaa authorization exec default group tacacs+ none
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa session-id common

    On the non-working device enable:
    debug aaa authen
    debug aaa author
    debug tacacs
    and post the results.
    Also, on ACS 5.1 review the details for the authen/author on both the working and non-working devices and see if the desired shell profile is picked for the non-working device.

  • AAA authorization fails, but still command is executed...

    Hi everyone,
    i've implemented authorization and it basically works. The user can only use a limited set of commands (show int status, conf t, interface ethernet, interface gigabitethernet, interface fastethernet, shut, no shut).
    Now I try to configure a loopback or Vlan interface, which should not be allowed.
    COMMANDS IMPLEMENTED:
    aaa authorization config-commands
    aaa authorization commands 0 vty group tacacs+ none
    aaa authorization commands 1 vty group tacacs+ none
    aaa authorization commands 15 vty group tacacs+ none
    line vty 0 15
    authorization commands 0 vty
    authorization commands 1 vty
    authorization commands 15 vty
    COMMAND AND OUTPUT FROM TESTING:
    SWITCH(config)#int vlan 2
    Command authorization failed.
    DEBUG AAA AUTHORIZATION:
    SWITCH#
    Dec  7 14:31:50: AAA: parse name=tty1 idb type=-1 tty=-1
    Dec  7 14:31:50: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
    Dec  7 14:31:50: AAA/MEMORY: create_user (0x46603F4) user='USER1' ruser='SWITCH' ds0=0 port='tty1' rem_addr='10.10.255.249' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Port='tty1' list='SCAS' service=CMD
    Dec  7 14:31:50: AAA/AUTHOR/CMD: tty1 (60725991) user='USER1'
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV service=shell
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd=interface
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=Vlan
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=2
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=<cr>
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): found list "SCAS"
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Method=tacacs+ (tacacs+)
    Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): user=USER1
    Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV service=shell
    Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd=interface
    Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=Vlan
    Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=2
    Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=<cr>
    Dec  7 14:31:50: AAA/AUTHOR (60725991): Post authorization status = FAIL
    Dec  7 14:31:50: AAA/MEMORY: free_user (0x46603F4) user='USER1' ruser='SWITCH' port='tty1' rem_addr='10.10.255.249' authen_type=ASCII service=NONE priv=15
    As you can see the reply from the Tacacs is a "FAIL", but still the command is executed.
    RESULT:
    SWITCH#sh run int vlan 2
    Building configuration...
    Current configuration : 38 bytes
    interface Vlan2
    no ip address
    end
    QUESTION:
    I don't understand what the problem is... Since I get a FAIL from the TACACS server, I assume that the configuration on that side is fine.
    But why would the switch ignore a FAIL and still execute the command? The same problem exists with the Loopback interface.
    Is this me not understanding the basic concept of AAA, or is this some other problem?
    The Switch is a Cisco WS-C3750-24TS (running c3750-ipbasek9-mz.122-50.SE2.bin).
    The Tacacs runs Cisco Secure ACS4.2.0.124
    Thanks,
    Tom

    Hi Tom,
    this is CSCtd49491: TACACS+ command authorization for interface configuration fails.
    The bug is currently in a Closed state, meaning that the "Bug report is valid, but a conscious decision has been made not to fix it at all or in all releases."
    As far as I can tell, the impact is rather limited since the interface that gets created will have no effect unless the vlan exists, and even then the effect is minimal since it cannot be configured.
    You may want to open a TAC case or work with your account team to get the bug re-opened if this is still a concern though.
    hth
    Herbert
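The debug transcripts quoted in the 2960G 'show run interface' thread and in the 3750 'interface vlan 2' thread above each spread one authorization request over a dozen lines. Reassembling them is the first step in checking what a command authorization policy actually does. The script below is an added example, not code from any of the posts: it groups the AAA/AUTHOR lines by request id, rebuilds the full command from the cmd/cmd-arg attribute-value pairs, and takes the verdict from the 'Post authorization status' line rather than from the 'TAC+ ... received author response' line, because in the 2960G transcript that TAC+ line carries a different id (-189375029) from the request (4105592267). SAMPLE_DEBUG is constructed from the two transcripts on this page, trimmed to the relevant lines.

```python
"""Reassemble Cisco IOS 'debug aaa authorization' output into one record per
command authorization request: user, port, method list, full command, verdict.

Added example; not code from the posts above.  SAMPLE_DEBUG is constructed from
the two debug transcripts quoted on this page (trimmed).
"""
import re
from dataclasses import dataclass, field

SAMPLE_DEBUG = """\
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): Port='tty0' list='' service=CMD
Jun 21 11:07:39: AAA/AUTHOR/CMD: tty0 (4105592267) user='test'
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV service=shell
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd=show
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=running-config
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=interface
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=GigabitEthernet
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=0/1
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): Method=TACACS+ (tacacs+)
Jun 21 11:07:39: TAC+: (-189375029): received author response status = FAIL
Jun 21 11:07:39: AAA/AUTHOR (4105592267): Post authorization status = FAIL
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Port='tty1' list='SCAS' service=CMD
Dec  7 14:31:50: AAA/AUTHOR/CMD: tty1 (60725991) user='USER1'
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd=interface
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=Vlan
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=2
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=<cr>
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Method=tacacs+ (tacacs+)
Dec  7 14:31:50: AAA/AUTHOR (60725991): Post authorization status = FAIL
"""

TS_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d): (.*)$")
ID_RE = re.compile(r"\((-?\d+)\)")
PORT_RE = re.compile(r"Port='([^']*)' list='([^']*)'")
USER_RE = re.compile(r"(?<!r)user='([^']+)'")          # do not match ruser='...'
METHOD_RE = re.compile(r"Method=(\S+)")
STATUS_RE = re.compile(r"Post authorization status = (\w+)")


@dataclass
class AuthorRequest:
    req_id: str
    timestamp: str
    port: str = ""
    list_name: str = ""          # '' means the default method list was used
    user: str = ""
    method: str = ""
    cmd: str = ""
    args: list = field(default_factory=list)
    status: str = "UNKNOWN"      # PASS/FAIL/ERROR once the verdict line is seen

    @property
    def command(self):
        return " ".join([self.cmd] + self.args).strip()


def parse_debug(text):
    """Group AAA/AUTHOR lines by request id; return requests in first-seen order."""
    requests = {}
    for line in text.splitlines():
        m = TS_RE.match(line)
        # Only AAA/AUTHOR lines carry the request id consistently.  The TAC+ reply
        # line uses its own id (-189375029 above), so it is skipped and the verdict
        # is read from 'Post authorization status', which repeats the request id.
        if not m or "AAA/AUTHOR" not in m.group(2):
            continue
        ts, rest = m.groups()
        idm = ID_RE.search(rest)
        if not idm:
            continue
        req = requests.setdefault(idm.group(1), AuthorRequest(idm.group(1), ts))
        if (pm := PORT_RE.search(rest)):
            req.port, req.list_name = pm.groups()
        if (um := USER_RE.search(rest)):
            req.user = um.group(1)
        if "send AV cmd=" in rest:
            req.cmd = rest.split("send AV cmd=", 1)[1].strip()
        elif "send AV cmd-arg=" in rest:
            arg = rest.split("send AV cmd-arg=", 1)[1].strip()
            if arg and arg != "<cr>":       # '' and '<cr>' terminate the argument list
                req.args.append(arg)
        if (mm := METHOD_RE.search(rest)):
            req.method = mm.group(1)
        if (sm := STATUS_RE.search(rest)):
            req.status = sm.group(1)
    return list(requests.values())


def denied_commands(requests):
    """(user, command) pairs the AAA server refused; usable as an audit feed."""
    return [(r.user, r.command) for r in requests if r.status == "FAIL"]


if __name__ == "__main__":
    for r in parse_debug(SAMPLE_DEBUG):
        print(f"{r.timestamp} {r.port} user={r.user} list={r.list_name or 'default'} "
              f"method={r.method} status={r.status} cmd='{r.command}'")
```

Run it as a script to get one line per request. Fed with the output of debug aaa authorization from a test device, it confirms two things the threads turn on: the switch sends the expanded keyword running-config as a cmd-arg, so that is the form an ACS argument rule must match, and the FAIL comes back from the server. The 3750 thread shows the other half of the picture, where the switch logged FAIL and still created the interface, so a FAIL record in this feed is evidence of the server's decision, not proof that the command was blocked.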

  • AAA Authorization with ACS Shell-Sets

    Hi all,
    I am using a cisco 871 router running Version 12.4(11)T advanced IP Services.
    I am having trouble getting AAA Authorization to work correctly with ACS.
    I am able to set the users up on ACS fine and assign them shell and priv level 7.
    I then setup a Shell Auth Set, and enter in the commands show and configure.
    When I log in as a user, I get an exec with a priv level of 7 no problem, but I never seem to be able to access global config mode by typing in conf (or configure) terminal or t.
    If I type con? the only command there is connect, configure is never an option...
    The only way I can get this to work is by entering the command:
    privilege exec level 7 configure terminal
    I thought the whole purpose of the ACS Shell Set was to provide this information to the Router?
    This is most frustrating
    The ACS Server is set up with a Shell Command Authorization Set named Level_7
    It is assigned to the relevant groups and I even have the "Unmatched Commands" option selected to "Permit"
    The "Permit Unmatched Args" is also selected.
    See an excerpt of my IOS config below:
    aaa new-model
    aaa group server tacacs+ ACS
    server 10.90.0.11
    aaa authentication login default group ACS local
    aaa authorization exec default group ACS
    aaa authorization commands 7 default group ACS local
    tacacs-server host 10.90.0.11 key cisco
    privilege exec level 7 configure terminal
    privilege exec level 7 configure
    privilege exec level 7 show running-config
    privilege exec level 7 show
    Hope you can help me with this one..
    P.S. I have tried it with the privilege commands on the router and with them removed from the router, and I just keep getting the same results!?

    Hi,
    So here it is,
    You are actually using two different options and trying to couple them together. What I would suggest is that you either use the Shell command authorization set feature or play with privilege levels, not both mixed together.
    The above scenario might work if you move the commands to privilege level 6 and give the user privilege level 7. It might not; I'm not sure. Give it a try and share the result.
    What I suggest is to move the commands back to the normal level.
    Below provided are steps to configure shell command authorization:
    Follow the following steps over the router:
    !--- <username> is the desired username
    !--- <password> is the desired password
    !--- we create a local username and password
    !--- in case we are not able to get authenticated via
    !--- our tacacs+ server. To provide a back door.
    username <username> password <password> privilege 15
    !--- To apply aaa model over the router
    aaa new-model
    !--- Following command is to specify our ACS
    !--- server location, where <ip-address> is the
    !--- ip-address of the ACS server. And
    !--- <key> is the key that should be same over the ACS and the router.
    tacacs-server host <ip-address> key <key>
    !--- To get users authentication via ACS, when they try to log-in
    !--- If our router is unable to contact to ACS, then we will use
    !--- our local username & password that we created above. This
    !--- prevents us from locking out.
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa authorization config-commands
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    !--- Following commands are for accounting the user's activity,
    !--- when user is logged into the device.
    aaa accounting exec default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    Configuration on ACS
    [1] Goto 'Shared Profile Components' -> 'Shell Command Authorization Sets' -> 'Add'
    Provide any name to the set.
    provide the sufficent description (if required)
    (a) For Full Access administrative set.
    In Unmatched Commands, select 'Permit'
    (b) For Limited Access set.
    In Unmatched commands, select 'Deny'.
    In the box above the 'Add Command' box type in the main command, and in the box below 'Permit unmatched Args' provide the sub-command to allow.
    For example: if we want the user to be able to access only the following commands:
    login
    logout
    exit
    enable
    disable
    show
    Then the configuration should be:
    ------------------------Permit unmatched Args--
    login permit
    logout permit
    exit permit
    enable permit
    disable permit
    configure permit terminal
    interface permit ethernet
    permit 0
    show permit running-config
    In the above example, the user will be allowed to run only the above commands. If the user tries to execute 'interface ethernet 1', the user will get 'Command authorization failed'.
    [2] Press 'Submit'.
    [3] Goto the group on which we want to apply these command authorization set. Select 'Edit Settings'.
    (cont...)

  • AAA Authorization with RADIUS and RSA SecurID Authentication Manager

    Hi there.
    I am in the process of implementing a new RSA SecurID deployment, and unfortunately the bulk of the IOS devices here do not support the native SecurID (SDI) protocol. The older RSA SecurID deployment version supported TACACS running on the system; now in 8.x it does not.  RSA Support and I are having problems getting TACACS working correctly with the new RSA deployment, so the idea turned to possibly just using RADIUS.
    I have setup the RADIUS server-host, and configured the AAA authentication and authorization commands as follows:
    #aaa new-model
    #radius-server host 1.1.1.1 timeout 10 retransmit 3 key cisco123!
    #aaa authentication login default group radius enable
    #aaa authorization exec default group radius local
    I have also tried
    #aaa authorization exec default group radius if-authenticated local
    I can successfully authenticate via SSH to User Mode using my SecurID passcode -- however, when I go to enter Priv Exec mode, it won't take the SecurID passcode - I just get an "access denied".
    I've run tcpdump on the RSA Primary Instance, looking for 1645/1646 traffic, and I don't get anything.
    I've turned on RADIUS debugging on the IOS device, and I don't get anything either.
    I did see this disclaimer in a Cisco doc: "The RADIUS method does not work on a per-username basis."  -- not sure if this is related to my issue?
    I'm beginning to wonder if IOS/AAA can't pass the authorization-exec process to RSA SecurID.

    I don't have a solution, but can confirm I have the same problem and am also trying to find a solution.
    I see no data sent to the RSA server when using the wireless AP. With other equipment on the same ACS, I do see the attempts going to the RSA server.
    The first reply doesn't seem to apply to me, since it's not sending a request from the ACS machine to the RSA machine.

  • Privilege command: the show run does not show the running-config

    Hi,
    Whenever I log in using "user1" I can successfully authenticate; however, when I issue the show run for user1, the only thing that I can see is the following:
    R4#show run
    Building configuration...
    Current configuration : 13 bytes
    end
    R4#
    I have put the commands on the router as follows:
    ~~~~~~~~~~~~~~~~~~~~~
    aaa new-model
    aaa authentication login ACS group tacacs+ local
    aaa authentication login NO-AUTH none
    aaa authorization exec ACS group tacacs+ local
    aaa authorization exec NO-AUTH none
    aaa authorization commands 1 ACS-1 group tacacs+ local
    aaa authorization commands 1 NO-AUTH none
    aaa authorization commands 10 ACS-10 group tacacs+ local
    aaa authorization commands 10 NO-AUTH none
    aaa authorization commands 15 ACS-15 group tacacs+ local
    aaa authorization commands 15 NO-AUTH none
    username user2 privilege 15 password xxx
    username user1 privilege 10 password xxx
    tacacs-server host 10.50.31.6
    tacacs-server directed-request
    tacacs-server key xxx
    privilege exec level 15 show
    privilege exec level 10 show running-config
    line con 0
    exec-timeout 1000 0
    authorization commands 1 NO-AUTH
    authorization commands 10 NO-AUTH
    authorization commands 15 NO-AUTH
    authorization exec NO-AUTH
    login authentication NO-AUTH
    line aux 0
    authorization commands 1 NO-AUTH
    authorization commands 10 NO-AUTH
    authorization commands 15 NO-AUTH
    authorization exec NO-AUTH
    login authentication NO-AUTH
    line vty 0 4
    authorization commands 1 ACS-1
    authorization commands 10 ACS-10
    authorization commands 15 ACS-15
    authorization exec ACS
    login authentication ACS
    end
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Regards,
    Lorenz

    Lorenz
    I believe that the answer is that, in implementing privilege levels, Cisco designed the show run command so that if you do not have the capability to change something, it will not show up in the show run. I believe the logic is that, from a security standpoint, if you are not authorized to change it you should not be able to see it in the config. So in your case, if user1 is not able to change anything, then they will not be able to see anything in show run.
    HTH
    Rick
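Both the local-database thread above (privilege exec level 0 ... for user test) and Rick's reply about show run printing only what the user could change come down to one mechanism: every exec and configuration command has a privilege level, and the user's level decides what is reachable and what is displayed. The following is an added example, not code from the posts and not Cisco's implementation. It is a small model of that mechanism with the assumptions stated in its docstring, in particular that show running-config prints a config line only when a privilege rule at or below the user's level covers it (the behaviour Rick describes) and that unlisted config lines default to 15. SWITCH_CONFIG and R4_CONFIG are constructed from the two configs quoted on this page; the interface and line blocks in R4_CONFIG are made up so that show running-config has something to filter.

```python
"""Model of Cisco IOS privilege levels: which exec commands a user at a given
level can run, and which lines 'show running-config' prints for that user.

Added example; not code from the posts above and not Cisco's implementation.
Modelling assumptions: 'privilege <mode> level N <cmd>' puts <cmd> at level N;
an exec command takes the level of its longest explicitly leveled prefix, else
the default in DEFAULT_EXEC_LEVELS, else 1; and, following the reply above, a
config line is printed only when a 'privilege ... level' rule at or below the
user's level matches it (config lines default to 15, 'end' is always printed).
"""
import re

# Assumption: typical IOS defaults for the commands that appear on this page.
DEFAULT_EXEC_LEVELS = {
    "enable": 0, "disable": 0, "exit": 0, "logout": 0, "help": 0,
    "show": 1, "show running-config": 15, "configure": 15, "configure terminal": 15,
}


def parse_config(text):
    """Return (users, exec_levels, config_levels) from a running-config fragment."""
    users, exec_levels, config_levels = {}, dict(DEFAULT_EXEC_LEVELS), {}
    for line in (l.strip() for l in text.splitlines()):
        if (m := re.match(r"username (\S+) privilege (\d+)", line)):
            users[m.group(1)] = int(m.group(2))
        elif (m := re.match(r"privilege (\S+) level (\d+) (.+)", line)):
            mode, level, cmd = m.group(1), int(m.group(2)), m.group(3)
            (exec_levels if mode == "exec" else config_levels)[cmd] = level
    return users, exec_levels, config_levels


def _longest_prefix_level(cmd, levels, default):
    words = cmd.split()
    for n in range(len(words), 0, -1):
        if (prefix := " ".join(words[:n])) in levels:
            return levels[prefix]
    return default


def can_run(user_level, cmd, exec_levels):
    """True if a fully spelled exec command is reachable at user_level."""
    return user_level >= _longest_prefix_level(cmd, exec_levels, 1)


def allowed_commands(user_level, exec_levels):
    """Explicitly leveled exec commands reachable at user_level ('show ?' material)."""
    return sorted(c for c, lvl in exec_levels.items() if lvl <= user_level)


def visible_running_config(user_level, config_text, config_levels):
    """Lines a user at user_level gets from 'show running-config' under the model."""
    shown, block_hidden = [], False
    for raw in config_text.splitlines():
        if not raw.strip():
            continue
        indented = raw.startswith(" ")
        if not indented:
            block_hidden = False        # a new top-level command starts a new block
        if block_hidden:
            continue                    # lines under a hidden block are hidden too
        if raw.strip() == "end":
            shown.append("end")
        elif user_level >= _longest_prefix_level(raw.strip(), config_levels, 15):
            shown.append(raw)
        elif not indented:
            block_hidden = True
    return shown


# Constructed samples built from the two configs quoted above; the interface and
# line blocks in R4_CONFIG are made up to give 'show running-config' a body.
SWITCH_CONFIG = """\
username admin privilege 15 password 0 cisco123!
username test privilege 0 password 0 cisco
privilege exec level 0 show ip interface brief
privilege exec level 0 show ip interface
privilege exec level 0 show interface
privilege exec level 0 show switch
"""
R4_CONFIG = """\
username user2 privilege 15 password xxx
username user1 privilege 10 password xxx
privilege exec level 15 show
privilege exec level 10 show running-config
interface Vlan1
 description management
 ip address 192.168.26.3 255.255.255.0
line vty 0 4
 login authentication ACS
end
"""

if __name__ == "__main__":
    users, ex, _ = parse_config(SWITCH_CONFIG)
    print("test (priv %d) may run:" % users["test"], allowed_commands(users["test"], ex))
    users, ex, cfg = parse_config(R4_CONFIG)
    print("user1 sees:", visible_running_config(users["user1"], R4_CONFIG, cfg))
```

Run as a script: user test at level 0 gets exactly the show subcommands that were moved down to 0 and nothing else (show aaa server and show running-config stay out, as in the output above), and user1 at level 10 gets only end from show running-config, as in the R4 output, until some privilege configure or privilege interface rule at level 10 or below exists. The same model explains the first thread on this page, where a priv 7 user saw only the boot markers and end. That poster also reports that show config still printed the full configuration, so level filtering of show running-config by itself does not keep the configuration from a user who can run other commands that print it.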

  • Deny "show run"

    I use ACS ver 4.2, and set up the following configuration on the routers.
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication login no_auth local enable
    aaa authorization config-commands
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
Everything works perfectly, but I am trying to deny the 'show run' command using ACS command authorization sets (see attachment). All other commands are working, but no matter what I do the show run is unsuccessful. In the group, Max privilege for any AAA client is set to 'Level 1', and Shell (exec) is set to 'Privilege level 1'. Any ideas?

    I have tried this in a v4.1 ACS and can deny the show run and show clock commands but allow all the other show commands:
    The AAA config on the test device (Version 12.2.18 EW2 IOS) is:
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication login no_tacacs local
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa authorization network default group tacacs+
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    Here is the output:
    TESTSWITCH01#show clock
    Command authorization failed.
    TESTSWITCH01#show run
    Command authorization failed.
    TESTSWITCH01#show calendar
    12:13:26 AEST Mon Apr 19 2010
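The behaviour the two posts above describe (a bare "deny show run" also swallowing "show run interface", while the other show commands stay allowed) comes down to how the argument lines of a command authorization set are matched. The following is an added example, not ACS or Cisco code: a simplified model of a per-group command set applied to the command strings an IOS device submits for TACACS+ command authorization. Its assumptions are that IOS expands abbreviations before authorization (it sends "show running-config", never "show run"), that the arguments are matched as one string against each rule's regular expression with the first match winning, that arguments matching no rule fall to a per-command "permit unmatched args" flag, and that a command with no rule at all falls to a set-level flag. The sample commands are constructed.

```python
"""Simplified model of an ACS-style command authorization set (added example,
not ACS code).  Evaluation order, regex matching and the two "unmatched"
flags are assumptions chosen to show the subset-command problem."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class CommandRule:
    command: str                          # first token, e.g. "show"
    arg_rules: List[Tuple[str, str]]      # ordered ("permit"|"deny", regex)
    permit_unmatched_args: bool = False   # the "Permit Unmatched Args" box


@dataclass
class CommandSet:
    rules: List[CommandRule]
    permit_unmatched_commands: bool = False

    def rule_for(self, command: str):
        for rule in self.rules:
            if rule.command == command:
                return rule
        return None


def authorize(cmdset: CommandSet, line: str) -> Tuple[bool, str]:
    """Return (permitted, reason) for one fully expanded command line."""
    tokens = line.split()
    if not tokens:
        return False, "empty command"
    command, args = tokens[0], " ".join(tokens[1:])
    rule = cmdset.rule_for(command)
    if rule is None:
        return cmdset.permit_unmatched_commands, "no rule for command"
    for action, pattern in rule.arg_rules:      # first match wins
        if re.search(pattern, args):
            return action == "permit", f"{action} {pattern}"
    return rule.permit_unmatched_args, "unmatched args"


# As posted: an unanchored "deny running-config" is tested first and also
# matches the longer argument string of "show running-config interface ...",
# so the later permit line is never reached.
NAIVE = CommandSet(rules=[
    CommandRule("show", [("deny", "running-config"),
                         ("permit", "running-config interface")],
                permit_unmatched_args=True),
])

# The specific permit comes first; the deny is anchored at the start and ends
# on a word boundary so "running-config | include ..." is still denied (an
# anchored "^running-config$" would let the piped form through).
FIXED = CommandSet(rules=[
    CommandRule("show", [("permit", r"^running-config interface\b"),
                         ("deny", r"^running-config\b"),
                         ("deny", r"^clock\b")],
                permit_unmatched_args=True),
])

SAMPLE_COMMANDS = [                 # constructed, in the expanded form IOS sends
    "show running-config",
    "show running-config interface GigabitEthernet1/0/1",
    "show running-config | include username",
    "show clock",
    "show calendar",
    "configure terminal",
]

if __name__ == "__main__":
    for name, cmdset in (("naive", NAIVE), ("fixed", FIXED)):
        print(f"--- {name} set")
        for cmd in SAMPLE_COMMANDS:
            ok, why = authorize(cmdset, cmd)
            print(f"{'PERMIT' if ok else 'DENY  '} {cmd!r:55} ({why})")
```

Running it shows the NAIVE set denying the per-interface view and the FIXED set permitting it while still denying the whole config, the piped form and "show clock"; "configure terminal" is denied because the set has no rule for it and does not permit unmatched commands.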

  • AAA Authorization + Switch Cluster = Fail?

    Hi, I had a Switch Cluster running with local authentication and authorization just fine (with aaa new-model). It's a stack of 3750-Xs and several 2960s, they've all been configured more or less the same way with a configuration template.
    I added AAA authentication and authorization and I can still reach each of the switches individually, but when I try to rcommand "x" from the cluster commander, I get:
    #rcommand 2
    % Authorization failed.
    One of the 2960s is a stack and when I run rcommand to that switch I get something different:
    #rcommand 1
    EBMIASWF1LB-01 tty1 is now available
    Press RETURN to get started.
    All other 2960s give me "% Authorization failed."
    3750s are running:
    Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 12.2(55)SE3, RELEASE SOFTWARE (fc1)
    2960Ses are running:
    Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)
    2960s are running:
    Cisco IOS Software, C2960 Software (C2960-LANLITEK9-M), Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)
    I tried a debug aaa authentication and aaa authorization on the member (destination) 2960 switch and I got this:
    541120: Mar  7 2013 17:14:30.729 EST: CLUSTER_MEMBER_2: AAA/BIND(00004788): Bind i/f 
    541121: Mar  7 2013 17:14:30.729 EST: CLUSTER_MEMBER_2: AAA: parse name=tty4 idb type=-1 tty=-1
    541122: Mar  7 2013 17:14:30.729 EST: CLUSTER_MEMBER_2: AAA: name=tty4 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=4 channel=0
    541123: Mar  7 2013 17:14:30.729 EST: CLUSTER_MEMBER_2: AAA/MEMORY: create_user (0x29DA580) user='radiususer' ruser='NULL' ds0=0 port='tty4' rem_addr='10.183.182.128' authen_type=ASCII service=LOGIN priv=15 initial_task_id='0', vrf= (id=0)
    541124: Mar  7 2013 17:14:30.729 EST: CLUSTER_MEMBER_2: AAA/AUTHOR (0x4788): Pick method list 'default'
    541125: Mar  7 2013 17:14:30.754 EST: CLUSTER_MEMBER_2: AAA/AUTHOR/EXEC(00004788): Authorization FAILED
    541126: Mar  7 2013 17:14:32.859 EST: CLUSTER_MEMBER_2: AAA/MEMORY: free_user (0x29DA580) user='radiususer' ruser='NULL' port='tty4' rem_addr='10.183.182.128' authen_type=ASCII service=LOGIN priv=15
    Debug on 2960S (stack) is the same.
    The radius server is a Microsoft NPS (IAS on 2012) and all switches have AAA configured the same:
    NPS is sending these AV Pairs:
    shell:priv-lvl=15
    Service-Type = Administrative
    Service-Type = NAS-Prompt-User
    Switches are configured like this:
    aaa new-model
    aaa group server radius RadiusAAA
    server x.x.x.x auth-port 1645 acct-port 1646
    server y.y.y.y auth-port 1645 acct-port 1646
    ip radius source-interface VlanXX
    deadtime 1
    aaa authentication login default group RadiusAAA local
    aaa authorization exec default group RadiusAAA if-authenticated local
    aaa session-id common
    ! etc etc
    radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 <radius key>
    radius-server host y.y.y.y auth-port 1645 acct-port 1646 key 7 <radius key>
    radius-server deadtime 1
    I've also tried moving around the
    aaa authorization exec default group RadiusAAA if-authenticated local
    to:
    aaa authorization exec default group RadiusAAA local if-authenticated
    But the results are the same... Telnet and SSH work great, but I'd like for the cluster to keep working!
    Any ideas?
    Thanks in advance for your help, I've spent a lot of time on this, and I don't even know if it's supported!
    Esteban

    Here is a good doc that explains different errors:
    http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a00808f8599.shtml

  • Aaa authorization with Funk SBR EE

    Hello,
    I do not get aaa authorization with Funk SBR EE to work.
    On our cisco switches I configure:
aaa authentication login default group radius local
    aaa authorization exec default radius local
    On the Funk radius server I return
    service-type login
    Cisco-AVPAIR shell:priv-lvl=15
    Authorization always fails and the debug output shows:
    1063433: 46w0d: CLUSTER_MEMBER_1: RADIUS: ustruct sharecount=1
    1063434: 46w0d: CLUSTER_MEMBER_1: RADIUS: Initial Transmit tty3 id 60 [**radius-ip**}:1812, Access-Request, len 82
    1063435: 46w0d: CLUSTER_MEMBER_1: Attribute 4 6 C3A976E2
    1063436: 46w0d: CLUSTER_MEMBER_1: Attribute 5 6 00000003
    1063437: 46w0d: CLUSTER_MEMBER_1: Attribute 61 6 00000005
    1063438: 46w0d: CLUSTER_MEMBER_1: Attribute 1 9 66726974
    1063439: 46w0d: CLUSTER_MEMBER_1: Attribute 31 17 3139352E
    1063440: 46w0d: CLUSTER_MEMBER_1: Attribute 2 18 8772DAFD
    1063441: 46w0d: CLUSTER_MEMBER_1: RADIUS: Received from id 60 [**radius-ip**]:1812, Access-Accept, len 87
    1063442: 46w0d: CLUSTER_MEMBER_1: Attribute 25 67 53425232
    1063443: 46w0d: CLUSTER_MEMBER_1: RADIUS: saved authorization data for user 111BFD8 at D4E310
    1063444: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): Port='tty3' list='' service=EXEC
    1063445: 46w0d: CLUSTER_MEMBER_1: AAA/AUTHOR/EXEC: tty3 (3848954035) user='username'
    1063446: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): send AV service=shell
    1063447: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): send AV cmd*
    1063448: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): found list "default"
    1063449: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): Method=radius (radius)
    1063450: 46w0d: CLUSTER_MEMBER_1: RADIUS: no appropriate authorization type for user.
    1063451: 46w0d: CLUSTER_MEMBER_1: AAA/AUTHOR (3848954035): Post authorization status = FAIL
    1063452: 46w0d: CLUSTER_MEMBER_1: AAA/AUTHOR/EXEC: Authorization FAILED
    1063453: 46w0d: CLUSTER_MEMBER_1: AAA/MEMORY: free_user (0x111BFD8) user='username' ruser='' port='tty3' rem_addr='[**client-ip**]' authen_type=ASCII service=LOGIN priv=1
    What do I need to add to the radius server to make it work?
    --Joerg

    The document Common Problems in Debugging RADIUS, PAP and CHAP has more information on the debug outputs.
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080093f4b.shtml#radnpap
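Both RADIUS threads above (the cluster rcommand failure and the SBR "no appropriate authorization type for user") come down to what the Access-Accept actually carries. In the SBR debug the accept is 87 bytes and holds a single attribute 25 (Class) of length 67, and nothing that describes a shell session; the NPS configuration returns Service-Type plus a Cisco-AVPair. The block below is an added example, not Cisco, NPS or SBR code: it builds two Access-Accepts in the RFC 2865 wire format, verifies the Response Authenticator with the shared secret the way a NAS does, decodes the attribute list (including the Cisco vendor-specific attribute, vendor 9 / type 1), and applies a simplified acceptance rule. The secret, the Request Authenticator and the packet contents are constructed, and the rule in exec_authorization_ok() (Service-Type NAS-Prompt or Administrative, or a shell:priv-lvl AV pair) is an assumption for illustration, not IOS's exact decision logic.

```python
"""RADIUS Access-Accept build/verify/decode (added example, not vendor code).
The exec_authorization_ok() rule is a simplification, an assumption here."""
import hashlib
import struct

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE, ATTR_CLASS, ATTR_VENDOR_SPECIFIC = 6, 25, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
EXEC_SERVICE_TYPES = {6, 7}          # Administrative, NAS-Prompt


def attr(atype: int, value: bytes) -> bytes:
    """One attribute: Type(1) Length(1, header included) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific attribute carrying one Cisco-AVPair."""
    v = text.encode()
    body = struct.pack("!I", CISCO_VENDOR_ID) + bytes([CISCO_AVPAIR, len(v) + 2]) + v
    return attr(ATTR_VENDOR_SPECIFIC, body)


def build_reply(code, ident, request_auth, secret, attributes):
    """Header + ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(attributes)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body


def verify_reply(packet, request_auth, secret) -> bool:
    """NAS-side check that the reply was produced with the shared secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return packet[4:20] == expected


def parse_attributes(body: bytes):
    """Walk the TLV list, rejecting bad lengths instead of looping on them."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("bad attribute length")
        attrs.append((atype, body[i + 2:i + alen]))
        i += alen
    return attrs


def decode_accept(packet: bytes) -> dict:
    """Pull out Service-Type and any Cisco-AVPair strings."""
    out = {"service_type": None, "avpairs": []}
    for atype, value in parse_attributes(packet[20:]):
        if atype == ATTR_SERVICE_TYPE and len(value) == 4:
            out["service_type"] = struct.unpack("!I", value)[0]
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor, j = struct.unpack("!I", value[:4])[0], 4
            while j + 2 <= len(value):
                vtype, vlen = value[j], value[j + 1]
                if vlen < 2 or j + vlen > len(value):
                    break
                if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                    out["avpairs"].append(value[j + 2:j + vlen].decode(errors="replace"))
                j += vlen
    return out


def priv_level(decoded: dict):
    for pair in decoded["avpairs"]:
        if pair.startswith("shell:priv-lvl="):
            return int(pair.split("=", 1)[1])
    return None


def exec_authorization_ok(decoded: dict) -> bool:
    """Assumed, simplified rule: a shell-capable Service-Type or a priv-lvl pair."""
    return decoded["service_type"] in EXEC_SERVICE_TYPES or priv_level(decoded) is not None


SECRET = b"constructed-shared-secret"      # constructed, as is the request authenticator
REQUEST_AUTH = bytes(range(16))

# Shaped like the SBR debug: 87-byte accept with only Class (attribute 25, length 67).
ACCEPT_CLASS_ONLY = build_reply(ACCESS_ACCEPT, 60, REQUEST_AUTH, SECRET,
                                [attr(ATTR_CLASS, b"SBR2" + b"x" * 61)])
# Shaped like the NPS policy: Service-Type Administrative plus shell:priv-lvl=15.
ACCEPT_WITH_SHELL = build_reply(ACCESS_ACCEPT, 61, REQUEST_AUTH, SECRET, [
    attr(ATTR_SERVICE_TYPE, struct.pack("!I", 6)), cisco_avpair("shell:priv-lvl=15")])

if __name__ == "__main__":
    for name, pkt in (("class-only", ACCEPT_CLASS_ONLY), ("with-shell", ACCEPT_WITH_SHELL)):
        d = decode_accept(pkt)
        print(name, len(pkt), verify_reply(pkt, REQUEST_AUTH, SECRET), d,
              "exec OK" if exec_authorization_ok(d) else "exec FAIL")
```

The class-only packet verifies fine (the secret is right, which is why the switch logs Access-Accept) but decodes to no Service-Type and no AV pair, so the exec check fails; the second packet passes. A reply built with a different secret fails verify_reply(), which is the check to reach for when the suspicion is a key mismatch rather than a missing attribute.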

  • AAA Authorization named authorization list

    Ladies and Gents,
Your help will be greatly appreciated. I am currently studying CCNP Switch AAA configuration and I work with a tacacs+ server at work, but I am having difficulty getting my head around the below.
    Cisco.com extract below
    When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.
    Once defined, method lists must be applied to specific lines or interfaces before any of the defined methods will be performed. The only exception is the default method list (which is named "default"). If the aaa authorization command for a particular authorization type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, local authorization takes place by default.
    My question is how do you define the Named Method List i.e. the none-default method list?
    I don't mean the cisco switch config but how the list is created, is this on the tacacs+ server and the referred to in the CLI?
    Any help would be much appreciated as I have read over tons of documents and I can’t see how this is created
    Thanks in advance
    David

    Hi David,
    An example of a named AAA list might look something like this:
    aaa authorization exec TacExec group AAASrv local
In the example above, I've created an AAA authorization list for controlling shell exec sessions called "TacExec", which will check the remote AAA servers in the group "AAASrv" first; if the device receives no response from the remote servers, it will then attempt to validate the credentials via the local user database. Please remember that a deny response from the AAA server is not the same as no response; the device will only check the local user database if and only if it receives nothing back from the TACACS query.
    Of course, before you create this method list, you need to define the TACACS servers via the "tacacs-server" command, and then add those servers to the group via the "aaa group server" command.
    Below is a cut and paste from the AAA section on one of my devices:
    aaa new-model
    ip tacacs source-interface
    tacacs-server host 10.x.x.x key 7
    tacacs-server host 10.x.x.y key 7
    aaa group server tacacs+ TacSrvGrp
    server 10.x.x.x
    server 10.x.x.y
    aaa authentication login default local
    aaa authentication login TacLogin group TacSrvGrp local
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec default local
    aaa authorization exec TacAuth group TacSrvGrp local
    aaa authorization commands 0 default local
    aaa authorization commands 0 TacCommands0 group TacSrvGrp local
    aaa authorization commands 1 default local
    aaa authorization commands 1 TacCommands1 group TacSrvGrp local
    aaa authorization commands 15 default local
    aaa authorization commands 15 TacCommands15 group TacSrvGrp local
    aaa accounting exec default start-stop group TacSrvGrp
    aaa accounting commands 15 default start-stop group TacSrvGrp
    aaa session-id common
Notice that for the various authentication and authorization parameters, there is a named method list as well as a default method list. As per Cisco's documentation, an AAA method list called default (that you explicitly define) will apply to all input methods (con, aux, vty, etc) unless you set a named method list on the particular input line (see below):
    line con 0
    exec-timeout 5 0
    line aux 0
    exec-timeout 5 0
    line vty 0 4
    exec-timeout 15 0
    authorization commands 0 TacCommands0
    authorization commands 1 TacCommands1
    authorization commands 15 TacCommands15
    authorization exec TacAuth
    login authentication TacLogin
    transport input ssh
    For the console and aux inputs, I only ever want to use local credentials for AAA purposes (ie: If I have to connect on an out-of-band interface, something is potentially wrong with the network connectivity), however for the VTY lines (SSH sessions in this instance), I always want to use the TACACS servers first, with local user credentials as a fallback mechanism.
    One thing you need to be VERY mindful of when configuring your devices for AAA is the order of the commands that are entered. It is a relatively simple matter to lock yourself out from the device management if you don't pay close attention to the specific order that the commands are entered. Typically, I will first do a "show user" just to find out which VTY line that I'm connected on, and when I assign the named AAA method lists to the VTY lines, I normally leave the line that I'm on at the default (local), then I open a second session to the device, authenticate using my TACACS credentials, and complete the config on the remaining VTY line.
    Keep in mind that there are some other parameters that you can define at the tacacs-server level (timeout value is a good one to look at) which you can use to enhance the AAA performance somewhat.
    Hope this helps!
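The two rules in the reply above that catch people out, that a deny from the server is final while only a non-response falls through to the next method, and that a line uses its named list if one is applied and "default" otherwise, are easy to state and easy to get wrong under pressure. The block below is an added example, not Cisco code, that models that evaluation so the outcomes can be checked before a change is pushed to a real device. Each method answers PASS, FAIL or ERROR; ERROR moves to the next method, PASS or FAIL ends the walk. The method lists, line assignments, server behaviours and users are constructed in the shape of the reply's configuration, and treating a list whose methods all ERROR as a deny is an assumption of this model.

```python
"""Model of IOS AAA method-list evaluation and per-line list selection
(added example, not Cisco code; the all-ERROR => deny outcome is assumed)."""
from enum import Enum


class Result(Enum):
    PASS = "pass"      # explicit permit, final
    FAIL = "fail"      # explicit deny, final
    ERROR = "error"    # no answer: the next method is tried


def evaluate(methods, server_groups, ctx):
    """methods: e.g. ["group TacSrvGrp", "local", "if-authenticated"].
    server_groups: group name -> callable(ctx) returning a Result.
    ctx: {"user": str, "authenticated": bool, "local_users": set}.
    Returns (Result, the method that decided)."""
    for method in methods:
        if method.startswith("group "):
            result = server_groups[method.split(None, 1)[1]](ctx)
        elif method == "local":
            result = Result.PASS if ctx["user"] in ctx["local_users"] else Result.FAIL
        elif method == "if-authenticated":
            result = Result.PASS if ctx["authenticated"] else Result.FAIL
        elif method == "none":
            result = Result.PASS
        else:
            raise ValueError(f"unknown method {method!r}")
        if result is Result.ERROR:
            continue
        return result, method
    return Result.FAIL, "list exhausted"


def list_for(line_cfg, named_lists, kind, line):
    """The list a line uses for one kind ("exec", "commands 15", ...): the
    list applied on the line if any, else "default" if defined, else the
    implicit local method."""
    name = line_cfg.get(line, {}).get(kind)
    if name is not None:
        return name, named_lists[kind][name]
    if "default" in named_lists.get(kind, {}):
        return "default", named_lists[kind]["default"]
    return "implicit", ["local"]


# Constructed configuration in the shape of the reply's device.
NAMED_LISTS = {
    "exec": {"default": ["local"], "TacAuth": ["group TacSrvGrp", "local"]},
    "commands 15": {"default": ["local"], "TacCommands15": ["group TacSrvGrp", "local"]},
}
LINE_CFG = {"vty 0 4": {"exec": "TacAuth", "commands 15": "TacCommands15"}, "con 0": {}}

# Three constructed server behaviours: unreachable, explicit deny, explicit permit.
UNREACHABLE = {"TacSrvGrp": lambda ctx: Result.ERROR}
DENYING = {"TacSrvGrp": lambda ctx: Result.FAIL}
PERMITTING = {"TacSrvGrp": lambda ctx: Result.PASS}

ADMIN = {"user": "admin", "authenticated": True, "local_users": {"admin"}}
TACACS_ONLY = {"user": "jsmith", "authenticated": True, "local_users": {"admin"}}


def exec_decision(servers, ctx, line="vty 0 4"):
    """Which list a line picks for exec authorization and what it decides."""
    name, methods = list_for(LINE_CFG, NAMED_LISTS, "exec", line)
    result, by = evaluate(methods, servers, ctx)
    return name, result, by


if __name__ == "__main__":
    print("server down, local user:", exec_decision(UNREACHABLE, ADMIN))
    print("server denies, local user:", exec_decision(DENYING, ADMIN))
    print("console, no named list:", exec_decision(UNREACHABLE, TACACS_ONLY, "con 0"))
    # The order swap from the cluster post: with the server down, "local" before
    # "if-authenticated" denies a user absent from the local database; the
    # reverse order lets any authenticated user through.
    down = {"RadiusAAA": lambda ctx: Result.ERROR}
    print(evaluate(["group RadiusAAA", "local", "if-authenticated"], down, TACACS_ONLY))
    print(evaluate(["group RadiusAAA", "if-authenticated", "local"], down, TACACS_ONLY))
```

The second case is the one the reply warns about: the server's deny ends the evaluation at "group TacSrvGrp" and the local database is never consulted, so a local fallback account does not rescue a session the server has refused. The console case shows the line with no applied list falling to "default", which is local only on this device.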
